How solid a job is a cybersecurity organization doing? There’s no easy answer to that question. Not experiencing a breach that lands the organization on the front page of the Wall St. Journal is a good start, but it’s not an ideal metric. Maybe there’s a breach that hasn’t yet been discovered; maybe the enterprise isn’t quite as juicy a target as its top competitor. In other words, what may look like a successful (or unsuccessful) security organization is often just a matter of luck.
A better approach to assessing the quality of one’s cybersecurity organization is the concept of maturity. Is your organization structured and funded in a way that leads to proven success? Are you deploying technologies that lead to successful cybersecurity? Are you investing in the right areas? And above all, how do you determine the “right” answer to these questions?
To assist in all of the above, Nemertes Research has developed a Security Maturity Model based on decades of experience and intensive research. Our maturity model includes four levels: Unprepared, Reactive, Proactive, and Anticipatory. Across each salient dimension - budgeting and procurement, organization, planning, and technology - we mapped the benchmark participants into those four levels. We determined which characteristics align with each level in each dimension.
The result is a model that enterprise organizations can use to assess their security maturity, and more importantly, to determine what steps to take to improve that maturity.
2. Executive Summary
3. The Issue: Rating The Effectiveness Of An Infosec Organization
4. The Nemertes Security Maturity Model
5. Level 0: Unprepared
6. Level 1: Reactive
7. Level 2: Proactive
8. Level 3: Anticipatory
9. Maturity Model Elements
10. Budgeting And Investment
11. Procurement Strategy
12. Big Rock
Best-In-Breed
16. Technology Planning Maturity: Security Architecture
17. Technology Planning Maturity: Security Roadmap
Interaction With Business
18. Bellwether Technologies (And Why They Matter)
19. What Is A “Bellwether Technology”?
20. Information Security Bellwether Technologies
21. The Definition Of “Success”
22. Conclusion And Recommendations
23. Appendix: Methodology
24. Company Size: Revenue
25. Company Size: Employees
26. Participants: By Industry
27. Participants: By Title
28. Participants: By IT Culture